Video control system.

A video control system includes a central facility (11) and a terminal (10). Video program means provide
the terminal with a video program including a series of television fields including a first field
containing both a random digital code encrypted according to a code encryption key and program
identification data, and a second field containing an unintelligible video signal previously transformed
from an intelligible video signal according to the random digital code. The terminal (10) includes means
(22) for sending the program identification data to the central facility (11). The central facility includes a
data base (19) for storing and retrieving at least one code encryption key corresponding to the program
identification data and means (20) for sending the code encryption key from the central facility (11) to
the terminal (10). The terminal (10) further includes means (22) for receiving the code encryption key
from the central facility, decrypting means (23) for decrypting the encrypted digital code of the first
frame in accordance with the code encryption key and means (24) for transforming the unintelligible
video signal of the second frame to the intelligible video signal using the decrypted random digital code.
The video program means may transmit the program to said terminal (10) or be located at the terminal
(10) for playing a video recording medium storing the program.

This invention is concerned with video control
systems. It is desirable to provide a video control
system which decrypts encrypted broadcasts or recorded
copies of video material such that the subsequent
viewing is controlled. This allows the owner to either
forbid viewing, or collect revenue at his or her
discretion.

In the prior art, a software distribution system is
known wherein a computer program is downloaded
once, followed by an access key to allow use of it on
each subsequent use. This system uses a dynamic
key that constantly changes, and is directly related to
a user's decoder box, both by ID and an internal
dynamic counter.

Also known is a video system that autonomously 
controls the viewing of a recording for either 24 hours 
or once only. It does not have the power of control 
desired.

Accordingly the present invention provides a
video system comprising: a central facility; a terminal;
and video program means for providing to said
terminal a video program including a series of television
fields including a first field containing both a random
digital code encrypted according to a code encryption
key and program identification data, and a second
field containing an unintelligible video signal
previously transformed from an intelligible video signal
according to said random digital code; said terminal
including means for sending said program
identification data to said central facility; said central facility
including a data base for storing and retrieving at least
one code encryption key corresponding to the
program identification data and means for sending said
code encryption key from said central facility to said
terminal; said terminal further including means for
receiving the code encryption key from said central
facility, decrypting means for decrypting the encrypted
digital code of said first frame in accordance with said
code encryption key and means for transforming said
unintelligible video signal of said second frame to said
intelligible video signal using the decrypted random
digital code.

One embodiment of the invention will now be
described, by way of example, with reference to the
accompanying drawings in which:

Figure 1 is a block diagram of a video system
embodying the invention; and

Figure 2 shows an encryption arrangement
according to the invention.

Reference is made to Figure 1 which is a block
diagram of a video system 10 embodying the
invention. The video system comprises a central facility 11,
a terminal 12, and a duplex communication link 13
between central facility 11 and terminal 12. An overview
of the system is first given.

Terminal 12 is provided with a video program
including a series of television fields including a first
field containing both a random digital code encrypted
according to a code encryption key and program
identification data, and a second field containing an
unintelligible video signal previously transformed from an
intelligible video signal according to the random digital
code.

The video program may be transmitted by
broadcast, cable, satellite, fiber, or any other transmission
medium 14. Alternatively the video program may be
stored on a video recording medium 15 such as
magnetic tape or video disk and played by player 16. The
unintelligible video signal may be either analog or
digital.

A second field has a vertical blanking interval
containing both a random digital code encrypted
according to a code encryption key and program
identification data, and is followed by a third field
containing an unintelligible video signal previously
transformed from an intelligible video signal according to the
random digital code of the second field.

Terminal 12 includes means 17 to store terminal
identification data and means to send to the central
facility 11 the terminal identification data and the
program identification data over link 13.

Central facility 11 includes a data base 19 for
storing and retrieving at least one code encryption key
corresponding to the program identification data,
means 20 for sending the code encryption key from
the central facility 11 to the terminal 12, and means 21
for generating billing data based on both terminal
identification data and program identification data.

Terminal 12 further includes means 22 for
receiving the code encryption key from central facility 11,
decrypting means 23 for decrypting the encrypted
random digital code of the first frame in accordance
with the code encryption key, and means 24 for
transforming the unintelligible video signal of the second
frame to the intelligible video signal using the
decrypted random digital code.

Each terminal 12 may have a terminal specific
encryption key and means 18 to send to the central
facility the program identification data and the terminal
identification data encrypted according to the
terminal specific encryption key. The central facility 11
has means for storing a duplicate of the terminal
specific encryption key, means for encrypting the
code encryption key according to the terminal specific
encryption key; and means for sending the encrypted
code encryption key from central facility 11 to terminal
12.

Terminal 12 further includes means 22 for
receiving the encrypted code encryption key from central
facility 11, decryption means 23 for decrypting the code
encryption key according to the terminal specific
encryption key, and decrypting the encrypted random
digital code of the first frame in accordance with the
code encryption key, and means 24 for transforming
the unintelligible video signal of the second frame to
the intelligible video signal using the decrypted
random digital code.

Terminal 12 includes means to encrypt the
terminal identification data according to the terminal
specific encryption key, means to send unencrypted
terminal identification data and encrypted terminal
identification data to the central facility, which in turn
includes means to compare unencrypted and
encrypted terminal identification data to verify terminal
identity.

A plurality of code encryption keys may be used
for one program wherein a desired code encryption
key is selected from the plurality of code encryption
keys in accordance with code encryption key
identification data corresponding to the random digital code.

Various features of the system are now discussed
in more detail.

System 10 controls the viewing of video
programs, by which is meant any video material, either
transmitted or recorded, in television format
consisting of a series of fields of lines. Two interlaced fields
make up a television frame.

Video programs are rendered unintelligible, e.g.
scrambled, by any analog or digital method, and are
made intelligible, e.g. descrambled, using random
digital codes located in fields. The random digital keys
are themselves encrypted, and decrypted by one or
more keys obtained from a database located at the
central facility, along with user-specific information at
the time of viewing. The system does not stop
copying. It controls viewing, while protecting revenues. As
such, it can encourage copying, which could ease the
distribution issue by controlling the playback such that
revenue can be collected each time.

Preferably duplex communication link 13 is a
continuous data channel between a terminal and a central
facility such as an ISDN D-channel or by modem over
a regular phone line.

The video program is encrypted, and needs a
decrypter in the terminal for viewing. The decrypter
uses data embedded in the video program along with
a data access to correctly perform the decryption, so
the process is completely controlled. The embedded
data and key transfer from the remote database may
be protected with public domain encryption
techniques, providing high level security before first viewing.

The video program may be recorded as is, but it
is still unviewable. To view it, the decrypter is used,
along with the encrypted embedded data, and an
access to a secure database, to perform the
decryption. Recordings may be freely copied, but remain
unviewable unless used with the decrypter.

To view the programs requires access to the
database using encrypted data transfer. This process
yields the control of the video program, whether
recording or transmission. The decrypter requires
one or more keys that arrive from the database. To
get the key, information from the video program as
well as terminal identification is sent to the database.



A direct Electronic Funds Transfer (EFT) debit can
be performed using the information. If the program is
a video store copy, the EFT could include the store fee
and the copyright fee. Note that the video distribution
to video stores becomes trivial, as they are
encouraged to take a direct recording with a video store key,
along with their authorized converter box, and make
as many copies as they like. The revenue control
takes place at viewing time. This encourages a
shareware type of distribution.

A passkey can be sent to the database, to allow
viewing of questionable taste films by adults,
controlling access by minors.

On the first access, the database will capture a
signature derived from the user's equipment and the
recording, and store it for subsequent tracking. As
there is a compelled database access in this process,
data on usage may be collected. This same process
may be used for revenue collection.

The system preferably uses at least one
downloadable key, an encrypted video program that
uses the key for decryption, and data stored in a field
of the video program. It may be implemented in an all
digital, analog, or mixed analog/digital environment.

The video programs are encrypted, with data
relating to the programs, e.g. where and when, who
transmitted it. The data may also contain part of the
decryption key. This information would be extracted
from the signal, and used to access a database,
maintained by the program's owners, to obtain an
encrypted key for the decrypter. After a subscriber and/or a
credit check is successfully completed, the one or
more keys would be transmitted. At this time the
owner has obtained usage data, with a specific user's
ID, and has the option of billing him. If it is a free
program, at least the viewer data is available.

If a user records a transmission or another
recording, he captures the encrypted signal, along
with embedded data, as described above. This
accomplishes the signature part of the process. A
recording created by this method may be on a regular
VCR, but is encrypted and individually marked.
Copying a recording does not affect the system, as the
rerecording is only usable with the correct keys.
Potentially, the first few minutes of a program might be
viewable without the need of a key, to allow the user
to see what the contents of the program are, as well
as to allow time for the database access and key
synchronization process.

To play a recording back, it is necessary to
re-obtain the one or more keys. The combination of data
stored in a field is used to access the database.
Before the keys are made available, there is a check that
the terminal identification and the embedded data
match.

In the case wherein a recording is rented from a
video store, a code may identify the store. The
database recognizes the recording as a rental copy, and
charges either the user or the video store a fee. If the
recording is viewed a second time, the charge is
repeated. In the event a copy is made, when it is
played, the database will identify the originating video
store, but not the actual copier. However, if validation
is performed at rental time, there would be some
measure of control. If the entire charging process
were to be reversed, such that the viewer carries all
the liability for charges, then copying is encouraged,
as per shareware, and the distribution problem is
minimized, while revenues are maintained on a usage
basis.

The program's owner has the responsibility to get
a secured copy to whoever deals with the distribution
of the programs. The programs are encrypted, and
require a database update to enable viewers to make
use of the program. The viewer has a terminal
including a decrypter, linked to the central facility's
database via an automatic dial-up, that, when enabled,
decrypts the video program. As appropriate, there can
be credit checks and billing from the database, as well
as statistics collection.

The encryption has two levels, one for protection
of video decryption codes on the program, and one for
protection of messages between the terminal and the
central facility. Both may use the NBS Data
Encryption Standard (DES).

DES encryption and decryption may be
implemented with a commercial Motorola 6859 Data
Security Device or similar product at the terminal and
at the central facility.

The decryption code itself is protected by being 
DES-encrypted. The decryption key is not on the 
video program but is retained in the database at the
central facility. A program identification number and a 
decryption key number allow the central facility to 
recover the decryption key itself and send it to the ter- 
minal for decrypting the decryption codes. 

A different DES decryption key is not required for
every field. One key can span several fields. DES key
requests and acknowledgements from the terminal
may also act as keep-alive messages to the central
facility.

DES decryption keys are transmitted from the
central facility to the terminal protected by a
higher-level DES "session" key. Terminal requests for new keys
as the tape progresses are also protected by the DES
session key. This key is generated by the central
facility at the beginning of the session and remains valid
for the duration of the session. The terminal begins
the session using a terminal-unique DES key stored
in a ROM.

Frame contents are transferred from the Analog
Subsystem to the DCSS and the decrypted decryption
code from the DCSS to the Analog Subsystem over
the analog interface shown in the Figure. Transfer of
data between the subsystems may be coordinated by
means of the vertical and horizontal blanking signals
and their derivative interrupts.

All messages between terminal and central
facility use Cyclic Redundancy Code (CRC) checking to
verify message integrity. The CRC-CCITT generating
polynomial generates two block check characters
(BCC) for each message. If the terminal receives a
message that is not verified by the BCC, it sends a
request (ARQ) to the central facility to retransmit the
last message. The central facility does not attempt to
ARQ garbled messages. It discards them and waits
for a terminal to send again.

Message exchange in the VCS is by a positive
acknowledgement scheme in which a response of some
kind is expected for every message sent. For
example, a terminal expects a DES decryption key
message after it sends a request for the same; the
central facility expects a key receipt acknowledge
after it sends the key message.

When a user begins to play a protected program,
the terminal initiates a session by sending a "session
start" message (STS) to the central facility containing
user and program identifications. The message
contains message type, user number and CRC code in
the clear, but the balance of the message is
DES-encrypted with the initial DES session key stored in
the terminal ROM. (The user identification is also
stored in ROM.) The central facility uses the
unencrypted data to access its database and find the user
DES value for decrypting the remainder of the
message.

The central facility authenticates the message by
comparing clear and decrypted user numbers. If the
user numbers are identical, the central facility then
confirms that the program serial number is valid. The
central facility may also check user credit. If all is well,
the central facility accepts the session and generates
a new (and random) DES key that is unique for that
session. It encrypts this using the initial user value in
the database and sends it to the terminal, which
decrypts the message and stores the new value in its
database (MCU RAM) as the session key for the
remainder of the session.

The central facility then uses the tape and
decryption key number in the STS message to recover a set
of DES decryption keys for the program from the
database. These are encrypted with the session key
and sent to the terminal at the start of a session or
during the course of a session.

The terminal generates session start key
acknowledgement and ARQ messages. The central
facility responds in kind. Both the central facility and the
terminal generate and verify block check characters.
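
The session-start exchange described above, as an added example that is not part of the original specification: the terminal frames an STS message, and the central facility authenticates it and returns a session key and a code encryption key. Python's standard library has no DES, so a SHA-256 keystream stands in for it; the field widths, the "SKY" and "CKY" message names, the CRC initial value 0xFFFF and all sample keys are assumptions.

```python
import binascii
import hashlib
import os
import struct

def bcc(msg: bytes) -> bytes:
    """Two block check characters: CRC-CCITT (0x1021), assumed init 0xFFFF."""
    return struct.pack(">H", binascii.crc_hqx(msg, 0xFFFF))

def crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for DES (absent from the standard library): XOR with a
    SHA-256 keystream. The same call encrypts and decrypts."""
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + bytes([len(stream) // 32])).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def frame(mtype: bytes, body: bytes) -> bytes:
    """Message type in the clear, then the body, then the BCC."""
    return mtype + body + bcc(mtype + body)

def unframe(msg: bytes):
    """Return (type, body), or None when the BCC does not verify."""
    if len(msg) < 5 or bcc(msg[:-2]) != msg[-2:]:
        return None
    return msg[:3], msg[3:-2]

def terminal_sts(user: int, rom_key: bytes, program: int, key_no: int) -> bytes:
    """STS: user number in the clear, the rest under the terminal's ROM key."""
    hidden = struct.pack(">IIH", user, program, key_no)  # assumed field widths
    return frame(b"STS", struct.pack(">I", user) + crypt(rom_key, b"STS", hidden))

class CentralFacility:
    def __init__(self, user_keys: dict, program_keys: dict):
        self.user_keys = user_keys        # user number -> copy of the ROM key
        self.program_keys = program_keys  # (program, key number) -> code key

    def handle_sts(self, msg: bytes):
        """Return (session-key message, code-key message), or None to reject."""
        parsed = unframe(msg)
        if parsed is None or parsed[0] != b"STS" or len(parsed[1]) != 14:
            return None                   # garbled: discard, wait for a resend
        body = parsed[1]
        (clear_user,) = struct.unpack(">I", body[:4])
        rom_key = self.user_keys.get(clear_user)
        if rom_key is None:
            return None
        user, program, key_no = struct.unpack(
            ">IIH", crypt(rom_key, b"STS", body[4:]))
        if user != clear_user:            # clear and decrypted numbers must agree
            return None
        code_key = self.program_keys.get((program, key_no))
        if code_key is None:              # unknown program serial or key number
            return None
        session = os.urandom(8)           # fresh random key for this session only
        return (frame(b"SKY", crypt(rom_key, b"SKY", session)),   # hypothetical names
                frame(b"CKY", crypt(session, b"CKY", code_key)))

def terminal_receive(rom_key: bytes, sky: bytes, cky: bytes):
    """Unwrap the session key, then the code key; "ARQ" if either BCC fails."""
    a, b = unframe(sky), unframe(cky)
    if a is None or b is None:
        return "ARQ"
    session = crypt(rom_key, b"SKY", a[1])
    return crypt(session, b"CKY", b[1])

# Constructed sample data: one subscriber, one program with one code key.
ROM_KEY = bytes.fromhex("0123456789abcdef")
CODE_KEY = bytes.fromhex("fedcba9876543210")
FACILITY = CentralFacility({1001: ROM_KEY}, {(77, 1): CODE_KEY})

if __name__ == "__main__":
    reply = FACILITY.handle_sts(terminal_sts(1001, ROM_KEY, 77, 1))
    print(terminal_receive(ROM_KEY, *reply) == CODE_KEY)
```

The BCC only detects transmission errors; what rejects a terminal that presents a known user number without the matching ROM key is the comparison of the clear and decrypted user numbers.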

The preferred embodiment and best mode of
practicing the invention have been described.
Alternatives now will be apparent to those skilled in the art
in light of these teachings. Accordingly the invention
is to be defined by the following claims and not by the
particular examples given.

Claims

1. A video system comprising:
a central facility;
a terminal; and
video program means for providing to said
terminal a video program including a series of
television fields including a first field containing both a
random digital code encrypted according to a
code encryption key and program identification
data, and a second field containing an
unintelligible video signal previously transformed from an
intelligible video signal according to said random
digital code;
said terminal including means for sending
said program identification data to said central
facility;
said central facility including a data base
for storing and retrieving at least one code
encryption key corresponding to the program
identification data and means for sending said
code encryption key from said central facility to
said terminal;
said terminal further including means for
receiving the code encryption key from said
central facility, decrypting means for decrypting the
encrypted digital code of said first frame in
accordance with said code encryption key and
means for transforming said unintelligible video
signal of said second frame to said intelligible
video signal using the decrypted random digital
code.

2. The system of claim 1 wherein a plurality of code
encryption keys are used for one program, and
wherein a desired code encryption key is selected
from said plurality of code encryption keys in
accordance with code encryption key
identification data corresponding to the random digital
code encrypted with said desired code encryption
key.

3. The system of claim 1 or 2 wherein said video
program means is means for transmitting said
program to said terminal.

4. The system of claim 3 wherein said means for
transmitting is a CATV system.

5. The system of any one of claims 1-4 wherein:
said terminal further includes means to
store terminal identification data and a terminal
specific encryption key; and means to send to
said central facility said terminal identification
data with said program identification data;
said central facility further includes means
for storing a duplicate of said terminal specific
encryption key; means for encrypting said code
encryption key according to said terminal specific
encryption key; and means for sending the
encrypted code encryption key from said central
facility to said terminal; and
said terminal further includes
means for receiving the encrypted code
encryption key from said central facility; and decryption
means for decrypting said code encryption key
according to said terminal specific encryption
key.

6. The video system of any one of claims 1-4
wherein:
said terminal further includes means to
store terminal identification data and a terminal
specific encryption key; and means to send to
said central facility said program identification
data and said terminal identification data,
said central facility further includes means
for providing a session encryption key; means for
encrypting said session encryption key according
to said terminal specific encryption key; means
for sending the encrypted session encryption key
from said central facility to said terminal;
means for encrypting said code encryption
key according to said encrypted session
encryption key; and means for sending the encrypted
code encryption key from said central facility to
said terminal; and
said terminal further includes means for
receiving the encrypted session encryption key
from said central facility; decryption means for
decrypting said session encryption key according
to said terminal specific encryption key, means
for receiving the encrypted code encryption key
from said central facility; and decryption means
for decrypting said code encryption key according
to said session encryption key.

7. The system of claim 5 or 6 wherein said terminal
includes means to encrypt said terminal
identification data according to said terminal specific
encryption key, and means to send unencrypted
terminal identification data and encrypted
terminal identification data to said central facility, and
said central facility includes means to compare
unencrypted and encrypted terminal identification
data to authenticate terminal identity.

8. The system of any one of claims 5-7 wherein said
central facility further includes means for
generating billing data based on said terminal
identification data and said program identification data.

9. The video system of any one of claims 1-8
wherein said video program means is a means
located at said terminal for playing a video
recording medium storing said program.

10. A video recording medium storing a video
program including a series of television fields
including a first field containing both a random digital
code encrypted according to a code encryption
key and program identification data, and a
second field containing an unintelligible video signal
previously transformed from an intelligible video
signal according to said random digital code.

11. The medium of claim 10 wherein a plurality of
code encryption keys are used for one program,
and wherein a desired code encryption key is
selected from said plurality of code encryption
keys in accordance with code encryption key
identification data corresponding to the random
digital code encrypted with said desired code
encryption key.

12. The medium of claim 10 or 11 wherein said
second field has a vertical blanking interval
containing both a random digital code encrypted
according to a code encryption key and program
identification data, and is followed by a third field
containing an unintelligible video signal
previously transformed from an intelligible video signal
according to said random digital code of the
second field.